LGPD

What is LGPD?

The LGPD (Lei Geral de Proteção de Dados), or the Brazilian General Data Protection Law, is comprehensive legislation that safeguards the privacy and security of individuals in Brazil. It is Brazil’s equivalent to the EU’s GDPR and is designed to regulate the collection, use, processing, and storage of personal data by organizations in Brazil.

Overview of LGPD

• Law: Brazilian General Data Protection Law
• Region: Brazil
• Signed into Law: 14-08-2018
• Effective Date: 18-08-2020
• Industry: All industries that do business in Brazil

Personal Data Under The LGPD

LGPD protects two data types in Brazil: personal and sensitive.

• Personal Data: This information can directly or indirectly pinpoint a specific individual. Examples of personal data include name, email address, phone number, physical address, and IP address.
• Sensitive Personal Data: This special category of personal data deserves a higher level of protection due to its sensitive nature. Sensitive personal data includes information about racial or ethnic origin, religious beliefs, political opinions, trade union membership, affiliation with religious, philosophical, or political organizations, health data or sexual life, and genetic or biometric data.

Data Protection Principle

The law outlines eight fundamental principles governing data processing:

• Transparency: Be clear and specific about the data collection and processing purpose.
• Purpose limitation: Collect and process data only for the stated purposes and avoid further processing that is incompatible with those purposes.
• Data minimization: Collect and process only the minimum personal data necessary for the intended purpose.
• Accuracy: Ensure data accuracy and completeness, rectifying errors promptly.
• Security: Implement adequate technical and organizational measures to protect data from unauthorized access, accidental destruction, or alteration.
• Retention limitation: Retain data only for the necessary period to fulfill the processing purpose unless required by law.
• Data transfer: Ensure secure and responsible transfers of personal data outside Brazil, complying with legal requirements.
• Accountability: Demonstrate compliance with the principles and be accountable for personal data processing.

Rights Under LGPD

• Right to access
• Right to rectification
• Right to erasure
• Right to portability
• Right to object
• Right to information about automated decision-making

Who Needs To Comply with LGPD?

Organizations based in Brazil

• Non-profit organizations
• Public and private entities
• Businesses of various scales, ranging from small startups to expansive corporations

Foreign organizations

• Companies offering services or products to individuals in Brazil, even if they have no physical presence in the country
• Data processors working on behalf of Brazilian organizations

Key Exceptions

• Processing for journalistic, artistic, or academic purposes, subject to specific conditions.
• Security incident exemption for non-personal data or low risk.
• Specific rules for public authorities and anonymized data processing.

Compliance Authority For LGPD

As of February 2024, the National Data Protection Authority (ANPD) still needs to be fully operational and enforce the LGPD. However, it plays a crucial role in promoting compliance by:

• Developing and publishing guidelines and directives related to data protection practices.
• Educating organizations and individuals about their rights and obligations under the LGPD.
• Conducting public consultations on legislative changes and regulatory updates.
• Preparing for future enforcement responsibilities.

Regulatory Penalties

Financial penalties:

• Maximum fine: BRL 50 million (approx. USD 9.1 million) per violation.
• Alternative fine: Up to 2% of an organization’s gross annual revenue for the preceding financial year, whichever is higher.
• Multiple violations: Repeated offenses can result in cumulative fines, significantly impacting an organization’s bottom line.

Non-financial Penalties

• Data processing suspension: The ANPD can temporarily or permanently restrict data processing activities.
• Data deletion: The ANPD can order the deletion of illegally collected or processed data.
• Contractual penalties: Non-compliance can trigger contractual penalties with partners and clients.

In conclusion, LGPD (Lei Geral de Proteção de Dados) marks a pivotal development in Brazil’s data protection landscape, mirroring global efforts to fortify individuals’ privacy rights in an increasingly digital world. By aligning with transparency, accountability, and data subject rights principles, LGPD fosters trust between businesses and consumers and underscores the nation’s commitment to upholding robust data protection standards. Organizations can ensure compliance with LGPD while maintaining data usability for legitimate purposes by implementing data security solutions like data masking.

FAQ